This morning’s Irish Times reports on a change to a Health Service Executive policy I never knew existed. Until now, Irish hospitals provided members of the clergy with access to patient admission records. This practice, the article reports, “has been stopped by recent data protection legislation.”
I was surprised by the reference in the article to “recent data protection legislation” and “new legislation”. The main Irish legislation in this area is the Data Protection Act 1988. It was amended in 2003. There are a number of regulations affecting those Acts but the most recent relates only to the Director of Corporate Enforcement.
So, is the new legislation referred to the 8 year old act or the 23 year old one?
The truth is, one might reasonable speculate, that the consequences of long-standing legislative requirements have recently been considered by the HSE and they changed their policy accordingly. [I since found that the Offaly Independent reported on this story last Friday, without any indication that the legislative requirement which led to the policy change was new or recent.]
Information on an individual’s health is sensitive personal data for the purposes of the Acts and is the category of personal information that is subject to the strongest protections.
The Data Protection Commissioner has published a guidance note on the application of the Acts to the health sector. That note begins with the following, non-legislative point:
The confidentiality of patient records forms part of the ancient Hippocratic oath, and is central to the ethical tradition of medicine and health care.
It goes on to say that
Given the immense sensitivity of health-related information, it is imperative that professionals in this sector be clear about their use of personal data.
This recent, very much belated, change of policy by the HSE suggests that the organisation may have some distance to travel in this regard.